highly depends on those state variables. Using a concrete model of the CPU semantics is more complex, but it allows CPU-specific analyses. For example, registers may be highlighted to observe the faulty behavior, e.g., for a subsequent manual debugging session. A concrete model of the SIMATIC S7 CPU is used in this work. The SIMATIC S7 operates on a 16-bit status word, two 32-bit accumulators, and a nesting stack that stores intermediate results. Operations up to a bit-width of 32 are supported [16].
Technically, the IL program is translated to SystemC [20] by augmenting it with the behavioral information of the underlying CPU as described in [18]. Afterwards, the augmented implementation is analyzed with the parser of [8] to construct a CDFG representation similar to a netlist on RTL [19]. Depending on the chosen instruction, one instruction in IL corresponds to $t$ nodes in the CDFG, $t \geq 1$. For example, the instruction L (Load) operates on the accumulators and requires two assign nodes (one for each accumulator). Other instructions operate on the 16-bit status word of the CPU, e.g., JC (Jump Conditional) evaluates and updates four bits of the status word. The reference to the original instruction in IL is kept for each node in the CDFG. Thus, selecting at least one of the $t$ nodes of an instruction marks the instruction itself.
Faults in software that change the output behavior of the IL program and that are observable at least at one observation point are considered. Thereby, an observation point may be any program state, internal variable, or primary output. Verification methods are capable of providing one failure trace or, more generally, a set of $m$ failure traces. Faults in PLC hardware are more likely physical (e.g., due to aging) than logical (e.g., a missing instruction). Extending the approach to debug faults in the underlying hardware is left to future work.
Without loss of generality, let a failure trace consist of:
- an input stimulus $I$ to activate the fault,
- a set of $R$ observation points $OP_i$ and their faulty responses under $I$: $v_{faulty}(OP_i)$, $1 \leq i \leq R$,
- a set of $R$ expected responses, one for each observation point: $v_{expected}(OP_i)$, $1 \leq i \leq R$.
An input stimulus $I$ defines values for primary inputs and values for state variables with respect to a single PLC cycle. The faulty behavior is observable at least at the $R$ observation points. Thus, simulating the PLC program with respect to the input stimulus $I$ yields pairwise distinct responses at all observation points:

$$\forall i : v_{faulty}(OP_i) \neq v_{expected}(OP_i), \quad 1 \leq i \leq R$$

The expected responses are automatically obtained by simulating the stimulus $I$ on a reference model.
Components are used to explain the faulty behavior. In general, a component may be of any granularity, e.g., a set of instructions, a single instruction, or a single operand. However, the complexity of diagnosis increases with the granularity. Without loss of generality, only single instructions in IL are considered as components in this work.
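Added example, not code from the paper: a small Python model of the two ideas above, the per-node back-reference from CDFG nodes to IL instructions and the failure trace obtained by comparing a faulty program with a reference model under one stimulus $I$. It uses a simplified S7-style CPU (two accumulators, a status word with RLO/STA/OR/FC bits, no nesting stack) in which every state change becomes one assignment node tagged with the index of the originating instruction; L therefore yields two nodes and JC updates four status bits. The instruction set, its semantics, the extra program-counter node used to capture control dependences, the sample programs and the stimulus are all assumptions of this example, not the SIMATIC S7 specification.

```python
# Added example (not from the paper): simplified S7-style IL model with
# instruction-tagged assignment nodes and failure-trace extraction.
# Instruction semantics below are assumptions, not the SIMATIC S7 specification.
from dataclasses import dataclass


@dataclass
class Node:
    target: str   # state variable or memory cell written by this node
    value: int
    reads: tuple  # state read to compute the value (data dependences)
    instr: int    # index of the originating IL instruction (the component)
    ctrl: int     # index of the jump-decision node this node depends on, or -1


MASK16 = 0xFFFF


def parse(program):
    """Split IL lines into (mnemonic, operand); labels are lines ending in ':'."""
    return [tuple(l.split(None, 1)) if " " in l else (l, None) for l in program]


def simulate(program, stimulus):
    """Run one PLC cycle; return the final state and the assignment nodes.
    The stimulus supplies primary inputs and initial state variables."""
    ops = parse(program)
    labels = {mn[:-1]: k for k, (mn, _) in enumerate(ops) if mn.endswith(":")}
    st = {"ACCU1": 0, "ACCU2": 0, "RLO": 0, "STA": 0, "OR": 0, "FC": 0}
    st.update(stimulus)
    nodes, ctrl, pc = [], -1, 0

    def assign(target, value, reads, i):
        st[target] = value
        nodes.append(Node(target, value, tuple(reads), i, ctrl))

    while pc < len(ops):
        mn, arg = ops[pc]
        i, pc = pc, pc + 1
        if mn.endswith(":"):                 # label: produces no node
            continue
        if mn == "L":                        # load: two assign nodes, one per accumulator
            assign("ACCU2", st["ACCU1"], ["ACCU1"], i)
            assign("ACCU1", int(arg) if arg.isdigit() else st[arg],
                   [] if arg.isdigit() else [arg], i)
        elif mn == "T":                      # transfer ACCU1 to memory
            assign(arg, st["ACCU1"], ["ACCU1"], i)
        elif mn == "+I":                     # 16-bit add of the accumulator low words
            assign("ACCU1", (st["ACCU1"] + st["ACCU2"]) & MASK16, ["ACCU1", "ACCU2"], i)
        elif mn in ("A", "O"):               # bit logic; FC marks an open logic chain
            bit = st[arg] & 1
            rlo = bit if not st["FC"] else (st["RLO"] & bit if mn == "A" else st["RLO"] | bit)
            assign("RLO", rlo, [arg, "RLO", "FC"], i)
            assign("STA", bit, [arg], i)
            assign("FC", 1, [], i)
        elif mn == "=":                      # write RLO to a bit, close the chain
            assign(arg, st["RLO"], ["RLO"], i)
            assign("FC", 0, [], i)
        elif mn == "JC":                     # decision on RLO, then four status bits
            assign("PC", labels[arg] if st["RLO"] else pc, ["RLO"], i)
            for tgt, val in (("OR", 0), ("STA", 1), ("RLO", 1), ("FC", 0)):
                assign(tgt, val, [], i)
            ctrl = len(nodes) - 5            # later nodes depend on this decision
            pc = st["PC"]
        elif mn == "JU":                     # unconditional jump
            assign("PC", labels[arg], [], i)
            ctrl = len(nodes) - 1
            pc = st["PC"]
        else:
            raise ValueError(f"unsupported instruction {mn}")
    return st, nodes


def failure_trace(faulty, reference, stimulus, observation_points):
    """Keep the observation points whose responses differ, i.e. the R points with
    v_faulty(OP_i) != v_expected(OP_i); expected values come from the reference."""
    st_f, nodes = simulate(faulty, stimulus)
    st_e, _ = simulate(reference, stimulus)
    trace = {op: (st_f[op], st_e[op]) for op in observation_points if st_f[op] != st_e[op]}
    return trace, nodes


def candidate_components(nodes, op):
    """Backward slice from the last node writing OP over data and control
    dependences; each instruction reached is a candidate component."""
    last, producers = {}, []
    for n in nodes:
        producers.append({r: last[r] for r in n.reads if r in last})
        last[n.target] = len(producers) - 1
    if op not in last:
        return set()
    work, seen = [last[op]], set()
    while work:
        k = work.pop()
        if k in seen:
            continue
        seen.add(k)
        work.extend(producers[k].values())
        if nodes[k].ctrl >= 0:
            work.append(nodes[k].ctrl)
    return {nodes[k].instr for k in seen}


# Constructed sample (not from the paper): QW0 = IW0 + IW2; QW2 = 1 iff I0.0 AND I0.1.
REFERENCE = ["L IW0", "L IW2", "+I", "T QW0", "A I0.0", "A I0.1", "JC M1",
             "L 0", "T QW2", "JU END", "M1:", "L 1", "T QW2", "END:"]
FAULTY = REFERENCE[:5] + ["O I0.1"] + REFERENCE[6:]   # instruction 5 mutated: A -> O
STIMULUS = {"IW0": 0xFFF0, "IW2": 0x0020, "I0.0": 0, "I0.1": 1}
OBSERVATION_POINTS = ["QW0", "QW2"]


def diagnose():
    trace, nodes = failure_trace(FAULTY, REFERENCE, STIMULUS, OBSERVATION_POINTS)
    return trace, {op: sorted(candidate_components(nodes, op)) for op in trace}


if __name__ == "__main__":
    trace, cands = diagnose()
    print("failure trace:", trace)           # {'QW2': (1, 0)}
    print("candidate instructions:", cands)  # {'QW2': [4, 5, 6, 11, 12]}
```

Running `diagnose()` gives the failure trace $\{QW2: (1, 0)\}$ (so $R = 1$ here, QW0 agrees with the reference) and the candidate set $\{4, 5, 6, 11, 12\}$ of instruction indices, which contains the mutated instruction 5. Because components are single instructions, the slice maps each contributing node back to its instruction through the stored index, which is the role the instruction reference on each CDFG node plays in the text.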